[SwitchB] dot1x
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-gigabitethernet1/0/1] dot1x
[SwitchB-gigabitethernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-gigabitethernet1/0/2] dot1x
[SwitchB-gigabitethernet1/0/2] quit
# Add local access user test.
[SwitchB] local-user test
[SwitchB-luser-test] service-type lan-access
[SwitchB-luser-test] password simple test
[SwitchB-luser-test] quit
# Enable ARP detection for VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
# Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).
[SwitchB-vlan10] interface gigabitethernet 1/0/3
[SwitchB-gigabitethernet1/0/3] arp detection trust
[SwitchB-gigabitethernet1/0/3] quit
After the preceding configurations are complete, when ARP packets arrive at interfaces
GigabitEthernet1/0/1 and GigabitEthernet1/0/2, they are checked against 802.1X security entries.
Configuring ARP Automatic Scanning and Fixed ARP
Introduction
ARP automatic scanning is usually used together with the fixed ARP feature.
With ARP automatic scanning enabled on an interface, the device automatically scans neighbors on
the interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates
dynamic ARP entries.
Fixed ARP allows the device to change the existing dynamic ARP entries (including those generated
through ARP automatic scanning) into static ARP entries. The fixed ARP feature can effectively
prevent ARP entries from being modified by attackers.
ARP automatic scanning and fixed ARP are recommended for small-scale networks such as
a cybercafe.
Configuration Procedure
Follow these steps to configure ARP automatic scanning and fixed ARP: